Tags: xsleaks web
Rating:
#### Computeration (web, 14 solves, 333 points)
> Can you get admin's note? I heard the website runs >only on client-side so should be secure...
>
> https://computeration.web.jctf.pro/
>
> If you find anything interesting give me call here: https://computeration.web.jctf.pro/report
>
>The flag is in the format: justCTF{[a-z_]+}.
>
>Happy hacking!!
#### Intended solution
The challenge was a simple, static, client-side page that allowed to store some notes in the localstorage.
**ReDoS**
Added notes could be searched through via regular expression:
```javascript
const reg = new RegExp(decodeURIComponent(location.hash.slice(1)));
```
This part of the code triggered when there was `onhashchange` event triggered.
Because the attacker can control the location hash of the window/frame and also Regular Expressions are vulnerable to [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) attacks, it's possible to send a malicious expression that will evaluate longer if it matches the secret.
*One can find the technique in the amazing blog: [A Rough Idea of Blind Regular Expression Injection Attack](https://diary.shift-js.info/blind-regular-expression-injection/).*
**Code execution timing**
When playing another CTF in the past I found a way of measuring the time of code executions of cross-origin documents. This is described in the [Busy Event Loop](https://xsleaks.dev/docs/attacks/timing-attacks/execution-timing/) article from the amazing XS-Leaks wiki ([xsleaks.dev](https://xsleaks.dev)). **Highly recommend reading and contributing!**
And the challenge was basically about combining these two presented techniques and developing an exploit.
**The exploit**
There was an optimization enabled for the bot that it would close the page when it has loaded. To prevent that, the player had to stall loading the page for longer *(it can be for example done with an image that is never loading)*. When the player did that, the bot would spend around 10 seconds. My script was able to fetch 2-3 characters of the flag per run. It was enough though, with repeating the process multiple times, the player could easily get the flag. I was considering making a challenge that required to leak all the secret at one shot, but I decided not to.
There was also another issue with the bot that once they had been "redossed", it wasn't trivial to restore the blocked thread in the event loop. Not sure why, maybe it exhausted all the resources. Instead, I was sending the following payload which didn't have this issue.
```regexp
^(?=${flag_prefix}).*.*.*.*.*.*.*.*!!!!$
```
It was slowing down the execution of the regular expression in a way that was detectable from a cross-origin page, but wasn't exploding it exponentially.
I developed a [PoC](https://terjanq.me/justCTF2020/computeration-parent.html) that leaks the flag byte-by-byte.
`view-source:https://terjanq.me/justCTF2020/computeration.html` will show the commented code of the exploit.
